potiuk commented on code in PR #69417:
URL: https://github.com/apache/airflow/pull/69417#discussion_r3525652943


##########
dev/README_RELEASE_PROVIDERS.md:
##########
@@ -513,6 +556,13 @@ key you want to use.
 
 ## Build and sign the source and convenience packages
 
+> [!NOTE]
+> Under the [delegated 
process](#delegating-release-duties-to-a-non-pmc-committer) this signing step

Review Comment:
   I think this should be both -> building and signing. Just signing is not 
enough. When PMC member is signing the release  they should be quite **sure** 
it's been generated from sources - which practically means that they should:
   
   a) checkout the sources
   b) switch to tag/look at commit hash
   c) build the packages
   d) sign them
   e) push both packages and signatures/checksums to SVN
   
   While "technically speaking" just signing is needed by the PMC member, 
practically it means it needs to be also built locally by the PNC member - this 
is explained in this FAQ: 
https://www.apache.org/legal/release-policy.html#owned-controlled-hardware
   
   If you short-cut it and 
   
   a) committer builds the package and pushes it to SVN
   
   then
   
   b) PMC member signs it
   
   Then practically PMC member does not know what they are signing. This can be 
somewhat mitigated by reproducibility. When the PMC member can reproduced 
binary the same packages (i.e. build them) - they should be OK to sign the 
packages submitted by someone else - becasue they are binary the same. However, 
the pragmatic side of it is that if the PMC member anyhow already built the 
packages (to be able to compare it) - it's easier to just sign and commit the 
built binaries. Because they are anyhow the same.



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]

Reply via email to